Set restrictive file permissions on Ceph keyrings for non-containerized deployment

Pass mode parameter 0640 and user and group ownership to puppet-ceph for Ceph openstack client keyrings during non-containerized deployment. Author: Keith Schincke <kschinck@redhat.com> Co-Author: John Fulton <fulton@redhat.com> Change-Id: Iccb24f5c2ee639ad2bc0869a37cec305f32b9fd1 Depends-On: Ie968e6abc6969c37be0a62ac45999093120673d4 Partial-Bug: #1720787 (cherry picked from commit bdf1ade1b9)
2017-10-03 00:21:57 +00:00 · 2017-10-03 00:21:57 +00:00 · 8bf46a66e6
parent 7e4e8ab775
commit 8bf46a66e6
1 changed files with 3 additions and 1 deletions
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@ -132,7 +132,9 @@ outputs:
                cap_mon: 'allow profile bootstrap-osd'
              CEPH_CLIENT_KEY:
                secret: {get_param: CephClientKey}
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                cap_mon: 'allow r'
                cap_osd:
                  str_replace: